quant-analyst

Security checks across malware telemetry and agentic risk

Overview

The skill is a broad financial-data and trading-workflow helper, but its sensitive capabilities are disclosed and mostly scoped to user-directed Alva/finance tasks.

Install only if you want an agent connected to Alva-style finance workflows. Review any CLI install/upgrade, login, scheduled automation, public sharing grant, memory update, or trading-related step before approving it, and avoid storing third-party financial credentials outside the provider's intended secret manager.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The skill's invocation section describes broad actions like querying context, reviewing strategies, and implementing trading systems, but it does not define clear trigger boundaries, authorization checks, or scoped preconditions. In a high-impact financial context, this ambiguity can cause the agent to activate for loosely related requests and produce or advance trading guidance or system changes without sufficient user confirmation or policy gating.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal